Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Abnormal LSASS Process Access and Injection (RedCanary Threat Detection Report)
id: c62c85ad-bbe7-4937-b77a-2cc984a1449d
status: experimental
description: Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/lsass-memory/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\taskmgr.exe'
            - '\rundll32.exe'
            - '\procdump.exe'
            - '\procexp.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
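The selection logic of the rule above, evaluated over a handful of constructed process_access events, as an added Python example that is not part of the Sigma rule or of Red Canary's report. It assumes the Sigma `process_access` category maps to Sysmon Event ID 10 records carrying `SourceImage` and `TargetImage` fields; the function names and the sample events are hypothetical.

```python
"""Evaluate the 'Abnormal LSASS Process Access and Injection' selection
over constructed process_access records (Sysmon Event ID 10 style).

Hypothetical helper, not part of the Sigma rule or Red Canary's report.
Assumes the Sigma process_access category maps to Sysmon EID 10 fields
SourceImage and TargetImage.
"""
from __future__ import annotations

# Values copied from the rule as published on the page.
SOURCE_IMAGE_SUFFIXES = (
    "\\powershell.exe",
    "\\taskmgr.exe",
    "\\rundll32.exe",
    "\\procdump.exe",
    "\\procexp.exe",
)
TARGET_IMAGE_SUFFIX = "\\lsass.exe"


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's 'endswith' modifier compares case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`.

    Inside one selection map every key must match (AND); a list of values
    under a single key matches if any of them does (OR).
    """
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    source_hit = any(_endswith_ci(source, s) for s in SOURCE_IMAGE_SUFFIXES)
    target_hit = _endswith_ci(target, TARGET_IMAGE_SUFFIX)
    return source_hit and target_hit


def triage(events: list[dict]) -> list[dict]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 10,                                    # mixed case on both sides
     "SourceImage": "C:\\Tools\\ProcDump.exe",
     "TargetImage": "C:\\WINDOWS\\system32\\LSASS.EXE"},
    {"EventID": 10,                                    # source not in the list
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 10,                                    # listed source, other target
     "SourceImage": "C:\\Windows\\System32\\rundll32.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']}")
```

Two details matter when porting the rule to a backend by hand: the `endswith` comparison must be case-insensitive, or the second sample event (mixed-case `ProcDump.exe` and `LSASS.EXE`) is missed, and both keys of the selection must hold, so a listed source image opening a handle to anything other than `lsass.exe` does not fire. The rule keys only on image names, which is why it carries `level: low`; any of the listed binaries touching LSASS for a legitimate reason produces the same event.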
References
- https://redcanary.com/threat-detection-report/techniques/lsass-memory/
Related rules
- Abnormal LSASS Child and Parent Process Relationships (RedCanary Threat Detection Report)
- LSASS Running Under Non-Privileged User Context (RedCanary Threat Detection Report)
- Rundll32 Dumping Credentials with MiniDump Function (RedCanary Threat Detection Report)
- Mimikatz Command Line With Ticket Export
- Abnormal LSASS Child and Parent Process Relationships